Okay, I'm about 6 months behind on writing this post, so if the world has changed in 6 months, please add comments and I'll update. I'm shocked at how difficult it has been to select a standard firewall for the SMB space. I THINK I've tried them all and have been surprised at how there just isn't one that has all the features I want. With SBS 2008 removing ISA, the need to have a firewall solution was key. I'll admit, I love ISA, and though many partners didn't, we deployed it with SBS as often as we could. If you knew how to set it up (and that's why customers need partners like us!), ISA gave Enterprise security to SMBs like no other product yet. After being disappointed in the change, I now find that I really like not having the firewall and the SBS server on the same box. The ability to reboot the server and keep Internet going has given much more flexibility, not to mention a firewall appliance typically restarts much faster than a server reboot. I'm still surprised MS didn't work with a partner to offer a low-end ISA appliance....but I digress.
In my quest for our standard firewall, I of course looked at Cisco's ASA....it's a good firewall, but I always struggle with the fact that they obviously come from the network world. I'm a GUI guy (so shoot me), and so many times to get an ASA set up correctly you really need to do it all from the console. Ask for support and they have you go to the console. Tell them you want to use the GUI and you immediately get moved to the moron designation. And dealing with IPSec tunnels with the Crypto Map this and Crypto Map that...it's just not that intuitive. That being said, Cisco support was pretty good when I called and would jump on the device and fix my issues very quickly.
However, based on Scott Cover's blog entry and the fact that they spend time working with the MSP community, I jumped all in with Calyptix. Signed up as a partner, ordered an NFR, and even sold one in my first week to a large customer for their lab environment. It's considered a UTM and maybe it is. My question is "is it a firewall?". So what's missing? Well, firewall rules for one. I couldn't add rules and move them up and down in priority. Calyptix support says that's coming. So if you're used to ISA or Checkpoint, you just don't have that power right now.
The big shock for me was trying to set up an IPSec tunnel to a Cisco ASA. The phase 1 and phase 2 settings just weren't there. They had some IPSec settings but not all of the industry standard settings. I believe what's going on is the settings are of course in the BSD firewall underneath but just not exposed through their GUI.
So to me, this isn't ready for what we need to do. If you have a very small office and just want to plug in a simple UTM then this may be the way to go. But we wanted a UTM that handled UTM functionality but also gave us Enterprise features when we needed it.
What's positive about Calyptix? The company! I think that's where you get the good reviews on Calyptix. They're based out of Charlotte, NC, so that means English-speaking support (well, if you speak Southern like I do). The main engineer/developer is Lawrence, and he is awesome and will do whatever he can to help you and fix your problem. In my case he wasn't able to meet a core requirement and get the Calyptix to connect to the ASA, but it wasn't for lack of effort. They've just been focusing on the SMB space and haven't had to add those features yet. In time, I think they will. They may have it all now...I should have written this post 6 months ago because I know how frustrating it was for me when I was trying to research firewalls.
In summary, Calyptix is a great company, but their product is still young. I'll certainly keep an eye on their product.
For logging, earlier versions were okay...the current versions are great. It's what you'd expect from Checkpoint. A very clean, colored, self-explanatory log. Of all the firewalls I wanted to work with, this was the best. When trying to make an IPSec tunnel to a Cisco ASA (the one the Calyptix couldn't connect with...see previous post), the Checkpoint handled it effortlessly.
So why's it not the #1 choice for us? A couple of reasons: while the logging is great...it's unfortunately missing some flexibility. If you want to filter the view by all traffic to or from an IP, or only a certain port...you can't do that. You get all the log entries and just have to scroll through. ASA and SonicWall both do better on the filtering, though not as good on the display.
Another minor issue is that the content filtering can kill your site if their service has an issue. Web Content Filtering is when you block sites based on categories (i.e. porn, sports, gambling, etc.). Checkpoint has the best UI for managing this I've seen in the SMB space. Once (and only once), that service had an issue and it just bogged the firewall down. Makes sense, as it needs to check with the continuously updated service to see how the site is classified. That continuous updating part is the real value, but if those servers have an issue then so does your location. I'm sure they have big-time redundancy, but we did have about 30 minutes during our testing one night where there was an issue, and it will really affect your office.
Also, when connecting to another network via IPSec tunnel you're limited to 3 network ranges. The firewall can handle more, but the GUI limits you to 3. Probably isn't a typical problem for an SMB office, but for us it came up a few times. Our partners were small, but they had contracts with some large companies. Those companies had more than 3 networks on their side, and to get the endpoints to talk those definitions needed to match. Out of the box, the Safe@Office can't do it. If you use their SMP Gateway solution and remotely administer the devices, then you can define more than 3 networks. But that upsets me even more that it's a pure GUI restriction.
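Both the missing phase 1/phase 2 settings on the Calyptix and the 3-network GUI cap on the Safe@Office fail for the same reason: an IPSec tunnel only comes up when both ends' proposals and network definitions mirror each other. The following is an added example, not code from the post or from any vendor, that compares two peers' constructed tunnel definitions and lists every mismatch before you touch the devices; the field names and sample networks are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "aes256"
    integrity: str    # e.g. "sha1"
    dh_group: int     # IKE DH group for phase 1, PFS group for phase 2 (0 = no PFS)


@dataclass(frozen=True)
class Tunnel:
    peer: str
    phase1: Proposal
    phase2: Proposal
    local_nets: FrozenSet[str]    # networks behind this peer
    remote_nets: FrozenSet[str]   # networks it expects behind the other peer


def compare_tunnels(a: Tunnel, b: Tunnel) -> List[str]:
    """Return every reason the two definitions would fail to negotiate."""
    problems = []
    # Phase 1 and phase 2 proposals have to agree field by field.
    for phase in ("phase1", "phase2"):
        pa, pb = getattr(a, phase), getattr(b, phase)
        if pa != pb:
            problems.append(f"{phase} proposal differs: {a.peer}={pa} {b.peer}={pb}")
    # Traffic selectors must mirror each other: my local nets are your remote nets.
    if a.local_nets != b.remote_nets:
        problems.append(f"{a.peer} local nets {sorted(a.local_nets)} != "
                        f"{b.peer} remote nets {sorted(b.remote_nets)}")
    if a.remote_nets != b.local_nets:
        problems.append(f"{a.peer} remote nets {sorted(a.remote_nets)} != "
                        f"{b.peer} local nets {sorted(b.local_nets)}")
    return problems


# Constructed sample: the big partner's ASA advertises four networks and PFS group 2;
# the small office's gateway GUI only let us define three and has no PFS.
ASA = Tunnel("asa", Proposal("aes256", "sha1", 2), Proposal("aes256", "sha1", 2),
             frozenset({"10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24", "10.4.0.0/24"}),
             frozenset({"192.168.1.0/24"}))
GATEWAY = Tunnel("gateway", Proposal("aes256", "sha1", 2), Proposal("aes256", "sha1", 0),
                 frozenset({"192.168.1.0/24"}),
                 frozenset({"10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"}))


def demo() -> List[str]:
    return compare_tunnels(ASA, GATEWAY)


if __name__ == "__main__":
    for line in demo():
        print(line)
```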
The last reason was probably the main reason...SUPPORT. CheckPoint's Safe@Office is a great product. With a few updates they would have the best SMB firewall on the market. But as a managed services provider, I need fast response for the issues I have that are affecting my customers. I don't mind chatting with support in Israel. That's what I do...bridge the gap of tech talk with remote Support departments. Vendor management is part of the value we bring. But I had several issues where level 1 couldn't resolve an issue, so it got escalated and I went over a week without getting a response. That level of responsiveness was even worse than SonicWall support (and that's bad). I never did find a number for partners to call in and speak to a person after hours. The best way to get support is via online chat, but both phone and online chat will close for the night, so don't have problems when they're closed or you'll have to wait until the next day.
So Safe@Office is the firewall we want to use but just can't right now. The GUI is slick. Managing content filtering is as intuitive and easy to use as any we've tested. The logging is by far the easiest to read. But it still has a few quirks that hurt in certain environments, and the lack of enterprise support hurts. If CheckPoint would offer special 24x7 partner-only support where partner calls were always treated as a top priority, then they could easily be #1 as an SMB firewall.